User/lsh/security review (#486)

* Update azure-pipelines-ci.yml for Azure Pipelines

azure-pipelines-ci.yml

@@ -15,6 +15,8 @@ variables:
   value: 'windows-latest'
 - name: fullBuild
   value: $[ne(variables['Build.Reason'], 'PullRequest')]
+- name: securityScan
+  value: $[or(eq(variables['Build.Reason'], 'Manual'), eq(variables['Build.Reason'], 'Schedule'))]
 
 stages:
 - stage: Build
@@ -37,6 +39,17 @@ stages:
         command: 'custom'
         workingDir: 'react'
         customCommand: 'run pub'
+    - task: CodeInspector@2
+      displayName: "[Security Review] code inspector"
+      inputs:
+        ProductId: '606a5e0d-64b0-4237-9dca-eac200438452'
+      condition: eq(variables.securityScan, 'true')
+    - task: CodeQL3000Init@0
+      displayName: "[Security Review] CodeQL Init"
+      condition: eq(variables.securityScan, 'true')
+    - task: CredScan@3
+      displayName: "[Security Review] CredScan"
+      condition: eq(variables.securityScan, 'true')
     - task: PowerShell@2
       displayName: Generate Env File
       inputs:
@@ -259,4 +272,17 @@ stages:
         PathtoPublish: '$(Build.ArtifactStagingDirectory)'
         ArtifactName: 'HydraLabRelease'
         publishLocation: 'Container'
-      condition: eq(variables.fullBuild, 'true')
+      condition: eq(variables.fullBuild, 'true')
+    - task: CodeQL3000Finalize@0
+      displayName: "[Security Review] CodeQL Finalize"
+      condition: eq(variables.securityScan, 'true')
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@2
+    # https://strikecommunity.azurewebsites.net/articles/8216/how-to-enable-build-break-on-credscan-detections.html
+      displayName: "[Security Review] Create CredScan Security Analysis Report"
+      inputs:
+        GdnExportHtmlFile: true
+        GdnExportAllTools: false
+        GdnExportGdnToolBinSkim: true
+        GdnExportGdnToolCredScan: true
+        GdnExportGdnToolSemmle: true
+      condition: eq(variables.securityScan, 'true')